Legal claims defining the scope of protection, as filed with the USPTO.
2. The apparatus of claim 1, wherein the instructions, when executed, cause the one or more processors to assign weights to the features associated with the file system event based on the impact of the feature candidates on the target malware prediction.
3. The apparatus of claim 1, wherein the first portion of the original file is a first 4k bits of the original file, wherein the first portion of the modified file is a first 4k bits of the modified file, wherein the last portion of the original file is a last 4k bits associated with the original file, and wherein the last portion of the modified file is a last 4k bits associated with the modified file.
4. The apparatus of claim 1, wherein the feature candidates include an entropy of the predetermined portion of the original or modified file, a Monte Carlo pi estimate obtained based on the predetermined portion of the original or modified file, a Monte Carlo pi estimation error based on the predetermined portion of the original or modified file, a serial correlation coefficient associated with the predetermined portion of the original or modified file, a chi square associated with the original or modified file, or an arithmetic mean associated with the original or modified file.
8. The apparatus of claim 7, wherein the instructions, when executed, cause the one or more processors to assign weights to the features associated with the file system event based on the impact of the feature candidates on the target malware prediction.
10. The method of claim 9, further including assigning weights to the features associated with the file system event based on the impact of the feature candidates on the target malware prediction.
11. The method of claim 9, wherein the predetermined portion of the original or modified file is associated with at least one of a first 4k bits of the original file, a first 4k bits of the modified file, a last 4k bits associated with the original file, a last 4k bits associated with the modified file.
12. The method of claim 11, wherein the feature candidates include an entropy of the predetermined portion of the original or modified file, a Monte Carlo pi estimate obtained based on the predetermined portion of the original or modified file, a Monte Carlo pi estimation error based on the predetermined portion of the original or modified file, a serial correlation coefficient associated with the predetermined portion of the original or modified file, a chi square associated with the original or modified file, or an arithmetic mean associated with the original or modified file.
13. The method of claim 9, further including evaluating test data to determine whether the features associated with the file system event overfit training data, the features associated with the file system event to overfit the training data in response to an accuracy of the malware prediction being higher for the training data compared to the test data.
16. The non-transitory computer readable medium of claim 15, wherein the instructions, when executed, cause the one or more processing units to assign weights to the features associated with the file system event based on the impact of the feature candidates on the target malware prediction.
17. The non-transitory computer readable medium of claim 15, wherein the predetermined portion of the original or modified file is associated with at least one of a first 4k bits of the original file, a first 4k bits of the modified file, a last 4k bits associated with the original file, a last 4k bits associated with the modified file.
18. The non-transitory computer readable medium of claim 17, wherein the feature candidates include an entropy of the predetermined portion of the original or modified file, a Monte Carlo pi estimate obtained based on the predetermined portion of the original or modified file, a Monte Carlo pi estimation error based on the predetermined portion of the original or modified file, a serial correlation coefficient associated with the predetermined portion of the original or modified file, a chi square associated with the original or modified file, or an arithmetic mean associated with the original or modified file.
19. The non-transitory computer readable medium of claim 15, wherein the instructions, when executed, cause the one or more processing units to evaluate test data to determine whether the features associated with the file system event overfit training data, the features associated with the file system event to over-fit the training data in response to an accuracy of the malware prediction being higher for the training data compared to the test data.
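An added illustration, not part of the patent or its claims: the feature candidates named in claims 4, 12 and 18, computed over the first and last portion of an original and a modified file. It assumes "4k bits" means 4096 bits and borrows the formulas of the `ent` utility; the function names and the sample data are constructed for this example.

```python
import math
import random
from collections import Counter

PORTION_BYTES = 4096 // 8  # assumption: "4k bits" read as 4096 bits (512 bytes)

def portion_features(chunk: bytes) -> dict:
    """Byte statistics for one file portion; formulas follow the `ent` utility (assumption)."""
    n = len(chunk)
    if n == 0:
        raise ValueError("empty portion")
    counts = Counter(chunk)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256  # count per byte value under a uniform distribution
    chi_square = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    # Serial correlation of each byte with its successor, wrapping at the end.
    sx, sxx = sum(chunk), sum(b * b for b in chunk)
    sxy = sum(chunk[i] * chunk[(i + 1) % n] for i in range(n))
    denom = n * sxx - sx * sx
    serial = (n * sxy - sx * sx) / denom if denom else 0.0  # undefined for constant data
    # Monte Carlo pi: every 6 bytes form one (x, y) point with 24-bit coordinates.
    radius_sq = (256 ** 3 - 1) ** 2
    points = [(int.from_bytes(chunk[i:i + 3], "big"), int.from_bytes(chunk[i + 3:i + 6], "big"))
              for i in range(0, n - 5, 6)]
    inside = sum(x * x + y * y <= radius_sq for x, y in points)
    pi_est = 4 * inside / len(points) if points else 0.0
    return {"entropy": entropy, "pi_estimate": pi_est, "pi_error": abs(math.pi - pi_est),
            "serial_correlation": serial, "chi_square": chi_square, "mean": sx / n}

def event_features(original: bytes, modified: bytes, size: int = PORTION_BYTES) -> dict:
    """Feature candidates for one file system event: first/last portion of both versions."""
    out = {}
    for name, data in (("orig", original), ("mod", modified)):
        for part, chunk in (("head", data[:size]), ("tail", data[-size:])):
            for key, value in portion_features(chunk).items():
                out[f"{name}_{part}_{key}"] = value
    return out

# Constructed sample: a text document, and seeded pseudo-random bytes standing in
# for the same file after it was overwritten with high-entropy content.
ORIGINAL = b"Quarterly report: revenue, costs and forecasts for the finance team.\n" * 40
_rng = random.Random(2023)
MODIFIED = bytes(_rng.getrandbits(8) for _ in range(len(ORIGINAL)))

if __name__ == "__main__":
    for key, value in event_features(ORIGINAL, MODIFIED).items():
        print(f"{key:28s} {value:10.3f}")
```

For the ASCII sample every Monte Carlo point falls inside the circle, so the pi estimate saturates at 4.0, while the high-entropy version lands near pi; that gap, together with the entropy and chi-square shift, is what makes these values usable as classifier inputs.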
December 19, 2023